Retailers who do not protect their customers' credit card data could face fines. In the wake of significant credit card data breaches among some major retailers, including T.J. Maxx and others, credit card companies are set to crack down on merchants that do not comply.

Strict data protection guidelines were introduced by five of the leading credit card companies nearly two years ago. Yet only about 20 to 30 percent of small businesses meet the new standards, according to Louise Casamento, VP of marketing for Micros Systems Inc., based in Columbia, MD, that develops hardware and software for the hospitality and retail industries.

Starting this fall, Visa and MasterCard implemented plans to start levying new fines on larger companies that have not taken the recommended steps to protect consumers' data. They divide merchants into two groups for compliance purposes.

Those that conduct more than six million transactions annually are in Tier 1 and became subject to fines starting September 30th. Those that conduct between one and six million transactions are in Tier 2 and will be fined starting December 31st.

The fines will go directly to the merchant banks that offer the credit cards. The banks will then pass the fines on to retailers and restaurant operators that are not in compliance. Fines will range from $5,000 to $25,000 a month, according to Visa.

In December 2006, Visa reported that only 26 percent of its Tier 1 merchants and only 15 percent of its Tier 2 merchants were adhering to the new standards. During that year, Visa levied $4.6 million in fines on Tier 1 companies not in compliance, and companies that had security breaches. Visa also plans to spend up to $20 million on incentives for companies that had validated their compliance by August 31st.

The other three credit card companies that helped create the guidelines are American Express, Discover Financial Services and JCB. All are currently in the process of developing their own procedures.

Essentially, the standards require retailers to upgrade credit card processing systems to ensure credit card numbers aren't stolen. For example, merchants are required to implement systems that encrypt card data before it's sent to credit card processing companies. Receipts should contain only the last four digits of card numbers and not their expiration dates. In addition, such information as personal identification numbers, customer addresses and other data should no longer be stored on internal servers.

Dan Storey, an account executive with MICROS Systems, said that compliance efforts frequently cost small retailers less than $1,000. "They don't really understand what the ramifications are in not doing it," he said.